I'm running OpenSSH 5.1p1 on openSUSE 10.3 (i586) and I want to set up
chroot jails for certain SFTP-only users. I use the following lines
in my sshd_config file:

    Match Group sftponly
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp

It works great.

The problem is that some of my users need umask 002 for their
uploads. I tried a few ways to achieve this:

* set umask in sshrc, .profile, etc... fails because no shell is used
  with internal-sftp

* set the umask to 002 before launching sshd so the sftp server
  process will inherit it...
  fails because sshd resets umask to a minimum of 022 on startup
  (seems like a good idea)

My solution was to add an option for internal-sftp that sets the
umask. So, I can put this in my configuration:

    Match Group sftponly
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp -u 002

I've attached my patch. It's working with no problems for me.

Please consider including this change or something similar in the next
release.

--
Will Johnston
Hawaii Information Consortium, LLC

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sftp-umask.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090108/c5ef31cf/attachment-0001.ksh

Will Johnston wrote:
> I'm running OpenSSH 5.1p1 on openSUSE 10.3 (i586) and I want to set up
> chroot jails for certain SFTP-only users. I use the following lines
> in my sshd_config file:
>
> Match Group sftponly
> ChrootDirectory /home/chroot-%u
> ForceCommand internal-sftp
>
> It works great.
>
> The problem is that some of my users need umask 002 for their
> uploads. I tried a few ways to achieve this:
>
> * set umask in sshrc, .profile, etc... fails because no shell is used
> with internal-sftp
>
> * set the umask to 002 before launching sshd so the sftp server
> process will inherit it...
> fails because sshd resets umask to a minimum of 022 on startup
> (seems like a good idea)
>
> My solution was to add an option for internal-sftp that sets the
> umask. So, I can put this in my configuration:
>
> Match Group sftponly
> ChrootDirectory /home/chroot-%u
> ForceCommand internal-sftp -u 002
>
> I've attached my patch. It's working with no problems for me.
>
> Please consider including this change or something similar in the next
> release.

Hey,

There also is the sftp file control patch, located here:
http://sftpfilecontrol.sourceforge.net/

It also adds a configure parameter to the conf file, which lets you set
the umask. In addition to that, you can forbid the use of chmod and
chown for sftp connections.

I really would like to see this integrated into openssh!

Regards,
Samy
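
An added example, not part of the thread or of OpenSSH: a small audit of the Match blocks discussed above, reporting the permissions an upload ends up with under each block's umask. It assumes the `-u` option proposed in the first message, a client that requests mode 0666, and the 022 floor described there; the `sftpstrict` and `dropbox` entries are constructed for illustration.

```python
import shlex

SSHD_DEFAULT_UMASK = 0o022  # assumption from the thread: sshd enforces at least 022

# Constructed sample config, modelled on the snippets in the first message.
SAMPLE = """\
Match Group sftponly
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp -u 002

Match Group sftpstrict
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp

Match User dropbox
    ChrootDirectory /home/chroot-%u
    ForceCommand internal-sftp -u 000
"""

def sftp_umask(args):
    """Return the octal umask passed with -u, else the inherited sshd default."""
    if "-u" in args[:-1]:
        return int(args[args.index("-u") + 1], 8)
    return SSHD_DEFAULT_UMASK

def audit(config_text, requested_mode=0o666):
    """For each Match block forcing internal-sftp, compute the resulting upload mode."""
    findings, match = [], None
    for raw in config_text.splitlines():
        words = shlex.split(raw, comments=True)   # drops '#' comments
        key = words[0].lower() if words else ""   # sshd keywords are case-insensitive
        if key == "match":
            match = " ".join(words[1:])
        elif key == "forcecommand" and words[1:2] == ["internal-sftp"] and match:
            umask = sftp_umask(words[2:])
            mode = requested_mode & ~umask        # the kernel clears the umask bits
            findings.append({
                "match": match,
                "umask": f"{umask:03o}",
                "upload_mode": f"{mode:04o}",
                "group_writable": bool(mode & 0o020),
                "world_writable": bool(mode & 0o002),
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A block reported with world_writable set is the one to review: inside a shared chroot, any other local account that can reach the directory can modify those uploads.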